US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks.
The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale. A 10/10 CVSSv3 score means the vulnerability is both easy to exploit as it doesn’t require advanced technical skills, and it’s remotely exploitable via the internet, without requiring attackers to gain an initial foothold on the attacked device.
In short, the vulnerability is an authentication bypass that allows threat actors to access the device without needing to provide valid credentials. Once exploited, the bug allows hackers to change PAN-OS settings and features. This is scary because it could be used to disable firewalls or VPN access-control policies, effectively disabling the entire PAN-OS device.
This remote exploit is enabled by a very common setup on Palo Alto gear, namely bypassing identity provider certificate verification, and using SAML to interface with back-end authorization services. Half of the problem is the classic tradeoff that IT must make between security versus usability due to the difficulty in managing certificates. The other half of the problem is that ancient protocols like SAML are often saddled with bandaids and cruft built up over time, making them cumbersome for developers to implement securely. Complexity in system configuration, certificate management, or protocol implementation all provide avenues for exploitation.
Fortunately, there are newer methods of implementing VPNs with modern protocols that are much stronger, such as Host Identity Protocol (HIP) and Open ID Connect (OIDC). These provide separation between visible IP addresses and the actual identities of the devices and infrastructure, so attackers can\’t even see the VPN concentrators on the network, let alone exploit the back-end identity provider integration. We recommend that all VPN deployments be built on top of HIP, require multiple factors of authentication, and that OIDC be used to integrate with the identity provider. SAML has had its run, but it\’s time for a refresh.